dbus: set process group id
This stops signals sent by the TTY driver from propagating to the xdg-dbus-proxy process. Signed-off-by: Ophestra <cat@gensokyo.uk>
This commit is contained in:
parent
5a732d153e
commit
39dc8e7bd8
@ -110,7 +110,7 @@ func (p *Proxy) Start(ctx context.Context, output io.Writer, sandbox bool) error
|
||||
bc.Bind(k, k)
|
||||
}
|
||||
|
||||
h = helper.MustNewBwrap(bc, toolPath, p.seal, argF, nil, nil)
|
||||
h = helper.MustNewBwrap(bc, toolPath, true, p.seal, argF, nil, nil)
|
||||
p.bwrap = bc
|
||||
}
|
||||
|
||||
|
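Review bot: The new `true` argument on the helper.MustNewBwrap call carries no explanation at the call site, and a reader of Proxy.Start cannot tell from the literal that it places xdg-dbus-proxy in its own process group. A comment above the call, `// setpgid: run the proxy in its own process group so signals from the controlling TTY are not delivered to it`, would make the intent visible where the flag is chosen. Proxy.Start begins and ends outside this hunk, so I cannot confirm from here which mechanism terminates the proxy once terminal signals no longer reach it; worth checking that context cancellation or the bwrap configuration covers that case.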
@ -8,6 +8,7 @@ import (
|
||||
"slices"
|
||||
"strconv"
|
||||
"sync"
|
||||
"syscall"
|
||||
|
||||
"git.gensokyo.uk/security/fortify/helper/bwrap"
|
||||
"git.gensokyo.uk/security/fortify/helper/proc"
|
||||
@ -23,6 +24,9 @@ type bubblewrap struct {
|
||||
// name of the command to run in bwrap
|
||||
name string
|
||||
|
||||
// whether to set process group id
|
||||
setpgid bool
|
||||
|
||||
lock sync.RWMutex
|
||||
*helperCmd
|
||||
}
|
||||
@ -38,6 +42,10 @@ func (b *bubblewrap) Start(ctx context.Context, stat bool) error {
|
||||
}
|
||||
|
||||
args := b.finalise(ctx, stat)
|
||||
if b.setpgid {
|
||||
b.Cmd.SysProcAttr = &syscall.SysProcAttr{Setpgid: true}
|
||||
}
|
||||
|
||||
b.Cmd.Args = slices.Grow(b.Cmd.Args, 4+len(args))
|
||||
b.Cmd.Args = append(b.Cmd.Args, "--args", strconv.Itoa(int(b.argsFd)), "--", b.name)
|
||||
b.Cmd.Args = append(b.Cmd.Args, args...)
|
||||
@ -48,12 +56,12 @@ func (b *bubblewrap) Start(ctx context.Context, stat bool) error {
|
||||
// If wt is nil, the child process spawned by bwrap will not get an argument pipe.
|
||||
// Function argF returns an array of arguments passed directly to the child process.
|
||||
func MustNewBwrap(
|
||||
conf *bwrap.Config, name string,
|
||||
conf *bwrap.Config, name string, setpgid bool,
|
||||
wt io.WriterTo, argF func(argsFD, statFD int) []string,
|
||||
extraFiles []*os.File,
|
||||
syncFd *os.File,
|
||||
) Helper {
|
||||
b, err := NewBwrap(conf, name, wt, argF, extraFiles, syncFd)
|
||||
b, err := NewBwrap(conf, name, setpgid, wt, argF, extraFiles, syncFd)
|
||||
if err != nil {
|
||||
panic(err.Error())
|
||||
} else {
|
||||
@ -65,7 +73,7 @@ func MustNewBwrap(
|
||||
// If wt is nil, the child process spawned by bwrap will not get an argument pipe.
|
||||
// Function argF returns an array of arguments passed directly to the child process.
|
||||
func NewBwrap(
|
||||
conf *bwrap.Config, name string,
|
||||
conf *bwrap.Config, name string, setpgid bool,
|
||||
wt io.WriterTo, argF func(argsFd, statFd int) []string,
|
||||
extraFiles []*os.File,
|
||||
syncFd *os.File,
|
||||
@ -73,6 +81,7 @@ func NewBwrap(
|
||||
b := new(bubblewrap)
|
||||
|
||||
b.name = name
|
||||
b.setpgid = setpgid
|
||||
b.helperCmd = newHelperCmd(b, BubblewrapName, wt, argF, extraFiles)
|
||||
|
||||
if v, err := NewCheckedArgs(conf.Args(syncFd, b.extraFiles, &b.files)); err != nil {
|
||||
|
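Review bot: In bubblewrap.Start the new branch `b.Cmd.SysProcAttr = &syscall.SysProcAttr{Setpgid: true}` replaces the whole SysProcAttr value, so any attribute already set on b.Cmd by newHelperCmd or by a caller (not visible on this page) would be silently discarded; setting only the field is safer: `if b.Cmd.SysProcAttr == nil { b.Cmd.SysProcAttr = new(syscall.SysProcAttr) }` followed by `b.Cmd.SysProcAttr.Setpgid = true`. The doc comments of the exported MustNewBwrap and NewBwrap still describe only wt and argF; the new parameter deserves a sentence such as `// If setpgid is true, bwrap is started in a new process group (its pgid equals its pid), so signals generated by the controlling terminal are not delivered to it.`, and the struct field comment `// whether to set process group id` could state that same effect rather than restating the field name. Because a helper in its own process group no longer receives terminal-generated signals, its lifetime now rests entirely on ctx cancellation and whatever parent-death handling the bwrap config provides, which I cannot confirm from these hunks.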
@ -31,7 +31,7 @@ func TestBwrap(t *testing.T) {
|
||||
})
|
||||
|
||||
h := helper.MustNewBwrap(
|
||||
sc, "fortify",
|
||||
sc, "fortify", false,
|
||||
argsWt, argF,
|
||||
nil, nil,
|
||||
)
|
||||
@ -44,7 +44,7 @@ func TestBwrap(t *testing.T) {
|
||||
|
||||
t.Run("valid new helper nil check", func(t *testing.T) {
|
||||
if got := helper.MustNewBwrap(
|
||||
sc, "fortify",
|
||||
sc, "fortify", false,
|
||||
argsWt, argF,
|
||||
nil, nil,
|
||||
); got == nil {
|
||||
@ -64,7 +64,7 @@ func TestBwrap(t *testing.T) {
|
||||
}()
|
||||
|
||||
helper.MustNewBwrap(
|
||||
&bwrap.Config{Hostname: "\x00"}, "fortify",
|
||||
&bwrap.Config{Hostname: "\x00"}, "fortify", false,
|
||||
nil, argF,
|
||||
nil, nil,
|
||||
)
|
||||
@ -74,7 +74,7 @@ func TestBwrap(t *testing.T) {
|
||||
helper.InternalReplaceExecCommand(t)
|
||||
|
||||
h := helper.MustNewBwrap(
|
||||
sc, "crash-test-dummy",
|
||||
sc, "crash-test-dummy", false,
|
||||
nil, argFChecked,
|
||||
nil, nil,
|
||||
)
|
||||
@ -98,6 +98,11 @@ func TestBwrap(t *testing.T) {
|
||||
})
|
||||
|
||||
t.Run("implementation compliance", func(t *testing.T) {
|
||||
testHelper(t, func() helper.Helper { return helper.MustNewBwrap(sc, "crash-test-dummy", argsWt, argF, nil, nil) })
|
||||
testHelper(t, func() helper.Helper {
|
||||
return helper.MustNewBwrap(
|
||||
sc, "crash-test-dummy", false,
|
||||
argsWt, argF, nil, nil,
|
||||
)
|
||||
})
|
||||
})
|
||||
}
|
||||
|
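Review bot: Every updated MustNewBwrap call in TestBwrap passes `false`, so the new setpgid branch in bubblewrap.Start (the SysProcAttr assignment) is never exercised by this test file. Since helper.InternalReplaceExecCommand is already used here to avoid spawning a real bwrap, a case that constructs the helper with `true` and inspects the command's SysProcAttr after Start would pin the behaviour. I cannot tell from this page whether the replaced exec exposes the underlying command, so the exact assertion may need a small test hook.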
@ -125,7 +125,7 @@ func Main() {
|
||||
seccomp.CPrintln = log.Println
|
||||
}
|
||||
if b, err := helper.NewBwrap(
|
||||
conf, path.Join(fst.Tmp, "sbin/init"),
|
||||
conf, path.Join(fst.Tmp, "sbin/init"), false,
|
||||
nil, func(int, int) []string { return make([]string, 0) },
|
||||
extraFiles,
|
||||
syncFd,
|
||||
|
@ -29,7 +29,7 @@ func Exec(ctx context.Context, p string) ([]*Entry, error) {
|
||||
Syscall: &bwrap.SyscallPolicy{DenyDevel: true, Multiarch: true},
|
||||
NewSession: true,
|
||||
DieWithParent: true,
|
||||
}).Bind("/", "/").DevTmpfs("/dev"), toolPath,
|
||||
}).Bind("/", "/").DevTmpfs("/dev"), toolPath, false,
|
||||
nil, func(_, _ int) []string { return []string{p} },
|
||||
nil, nil,
|
||||
); err != nil {
|
||||
|